Information Security Threat Models: Types and Description

Information technologies, drawing on ever newer developments in computing, find new applications every day: from simple gadgets and personal computers to smart homes and vehicle autopilots. All this increases the volume of data that is transmitted, used and stored, which in turn gives rise to more and more models of information security threats, and so to more opportunities for attackers to exploit the weaknesses of outdated information protection systems. This article briefly discusses what threats are and what kinds of threats exist.

Threat Detection Mechanism

An analysis of security problems must take into account the economic interests, threats and losses that a successful attack on the information system of a particular enterprise could bring. A private model of information system security threats is based on the following analysis:

  • source of the attack: external or internal relative to the protected object (enterprise, organization, etc.);
  • accounting for all risk areas: the economic sphere of the company, physical and information resources;
  • safety impact factors: the vulnerability of data and information, the degree of their security, software, enterprise computers and other devices, material and financial resources, employees;
  • identification of types, scales and directions of possible attacks;
  • ways to implement the threat: object of attack, mechanism and speed of action, predisposing vulnerability factors;
  • consequences: evaluated in terms of monetary loss, non-pecuniary damage and possible compensation.

There are two main views of any threat. It is identified either with one or more types and methods of carrying out an attack, in accordance with information security theory, or with the results of its impact on the company in question, i.e. with the consequences it leads to.

Legal aspects of information security threats

The threat model of the information system is considered in close connection with the concept of damage in the first part of the 15th article of the Civil Code of the Russian Federation. Damage is defined as the actual costs incurred by an entity as a result of a violation of its rights (theft of confidential information, its distribution or use for personal gain), loss of and damage to property, and restoration costs.

In Russia, the issue of information security remains rather complicated to this day. Even now there is no generally accepted terminology in this area. In different laws the same entities can be defined in different ways, although measures are being taken to standardize the terminology.

Threat classification

Any model of information security threats, even a basic one, requires analysis and mandatory identification of both the possible attacks and the methods of their implementation. For this purpose various classifications have been created (by source, by probability, by nature, by object, by consequences), which make it possible to design the defense's response to a particular attack as accurately as possible. Threats are classified by the following criteria:

  • Information system components that can be targeted. These include data, computers and software, networks and other structures that support the operation of the system.
  • Implementation methods, which can be either accidental or deliberate. Events of man-made or natural origin are also taken into account.
  • The location of the attack source: external or internal to the system used.
  • Information security components that can be targeted by attacks, namely the availability, confidentiality and integrity of data.

Analysis and classification make it possible to bring the protection system to a state in which most of the possible threats are identified and matched with methods of neutralization. Of course, it makes no sense to build every defense system to defend against anything and everything. A probabilistic approach is applied: the relevance of each individual class of threats is evaluated, and it is against the relevant ones that measures are taken in the protection system.

Algorithm of analysis and assessment of threats

Using the analysis, a matrix of relationships between information security threat models, vulnerabilities and the likely consequences of a successful attack is built. The hazard coefficient of each individual attack is calculated as the product of the hazard coefficient of the threat and the hazard coefficient of the source of the attack. This approach makes it possible to:

  • identify priority goals for the protection system;
  • establish a list of relevant attacks and sources of threats;
  • find information system vulnerabilities;
  • evaluate the possibility of a successful attack based on the relationship of vulnerabilities and sources of threats;
  • work out in detail how a particular threat would unfold and build a defense to respond to a possible attack scenario;
  • describe in detail the consequences of a successful attack;
  • design a security system and an information security management system for the organization.
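
The calculation described above, as an added example that is not part of the original article: each attack's hazard coefficient is the product of the threat's coefficient and the source's coefficient, and the relationship matrix ties each source and threat pair to the vulnerabilities that make it feasible. The 0 to 1 scale, every value, the relevance threshold and the rule that a pair with no vulnerability is skipped are assumptions.

```python
"""Rank attacks by hazard coefficient = threat coefficient x source coefficient."""

# Constructed sample values. The 0..1 scale and every number are assumptions;
# the article gives no scale and no data.
SOURCE_COEFF = {"external attacker": 0.6, "careless user": 0.9, "administrator": 0.5}
THREAT_COEFF = {"data theft": 0.8, "accidental data loss": 0.7, "service outage": 0.5}

# Relationship matrix: (source, threat) -> vulnerabilities through which that
# source can realise that threat. An empty list means no known path.
LINKS = {
    ("external attacker", "data theft"): ["unrevoked access of dismissed employee"],
    ("careless user", "accidental data loss"): ["no input validation", "no backups"],
    ("administrator", "service outage"): ["configuration errors"],
    ("careless user", "service outage"): [],
}


def attack_coefficients(links=LINKS, sources=SOURCE_COEFF, threats=THREAT_COEFF):
    """Return (coefficient, source, threat, vulnerabilities) rows, highest first."""
    rows = []
    for (source, threat), vulns in links.items():
        if not vulns:  # assumption: without a vulnerability the attack is not feasible
            continue
        coeff = round(threats[threat] * sources[source], 3)
        rows.append((coeff, source, threat, vulns))
    return sorted(rows, key=lambda row: row[0], reverse=True)


def relevant_attacks(rows, threshold):
    """Keep only attacks whose coefficient reaches the relevance threshold."""
    return [row for row in rows if row[0] >= threshold]


def vulnerability_priority(rows):
    """Map each vulnerability to the highest coefficient of any attack it enables."""
    priority = {}
    for coeff, _source, _threat, vulns in rows:
        for vuln in vulns:
            priority[vuln] = max(priority.get(vuln, 0.0), coeff)
    return dict(sorted(priority.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    ranked = attack_coefficients()
    for coeff, source, threat, vulns in relevant_attacks(ranked, threshold=0.4):
        print(f"{coeff:.2f}  {source} -> {threat}  via {', '.join(vulns)}")
    print(vulnerability_priority(ranked))
```

The ranked rows give the list of relevant attacks and sources, and the per-vulnerability view shows which weaknesses to close first.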

System users as the main source of threats

The FSTEC information security threat model ranks the mistakes of personnel (users, administrators, operators and other persons involved in system maintenance) among the first in terms of the amount of damage caused. According to research, about 65% of losses in successful attacks are due to accidental errors committed through carelessness, negligence, or a lack of proper employee training. Such violations can be both a source of independent threats (entering incorrect data, errors in programs that lead to a system crash) and a vulnerability (administrator errors) that attackers can take advantage of.

System users as a direct threat

As noted earlier, the user can be dangerous in their own right and figure as a threat in the information security threat model. Examples of such situations are given below:

  • malicious: disabling the information system or, for example, planting a logic bomb in the database code that triggers under certain conditions and destroys the information stored in it;
  • unintentional: accidental data corruption or loss;
  • hacking of the management system;
  • identity theft (passwords, addresses, bank accounts);
  • transfer of personal data to unauthorized persons or organizations.

System users as an indirect threat

Vulnerabilities in the system should also be considered in an organization's information security threat model. This approach is justified by user actions that weaken system security and open the way to a direct threat:

  • refusal to work with an information system, for example, as a result of a reluctance to learn new software;
  • software mismatch with user requirements;
  • the impossibility of full-fledged work due to a lack of appropriate skills (insufficient knowledge of computer technology, inability to process error messages) and the resulting system malfunctions.

Automation and Threats

The user can be the source of a significant list of threats to the information system. A logical way to combat unintentional errors is therefore to reduce their share by moving to automation: applying the fool-proof device principle, standardization, regulation and strict control of user actions. However, automation brings information security threats of its own that should be taken into account:

  • forgetting to revoke a dismissed employee's access to the system;
  • poor-quality documentation of the automated system and lack of technical support;
  • violation of the rules of operation, whether accidental or intentional;
  • departure from the normal mode of operation due to the actions of users (too many requests) or of administrative staff (a poor estimate of the amount of data processed per unit of time);
  • configuration errors;
  • hardware and software failures;
  • violation of data integrity due to system malfunctions.

Other threats

In addition to its basic structure, the information system also includes an auxiliary one, which ensures the operation of the main parts of the system. Information security threat models should cover these supporting structures as well. Man-made and natural disasters are examples of threats to them. Threats of a larger scale are described in more detail below:

  • Disruptions in the operation of communication and utility systems (Internet, electric network, water utilities, gas supply, cooling).
  • Damage or destruction of buildings.
  • Emergencies in a city or country when citizens, for whatever reason, refuse to fulfill their duties: civil wars, major accidents, terrorist bombings or their threat, strikes, etc.
  • Natural disasters.

According to statistics, natural and man-made disasters account for 13% to 15% of losses suffered by information systems. For this reason, some information systems are required to continue operating normally even during natural disasters.

Types of Protected Information

Any organization that counts information among its resources can have its own private models of threats to information security. They are generated by the internal structure of the company, which is formed by its divisions, employees, technical means, economic relations, internal social relations, etc. The total mass of internal and external information, the systems and technologies serving it, and the specialists and personnel together make up the information technology resource.

For any commercial company, information can be divided into official, confidential, secret, and commercial secret. For any non-governmental organization, information is divided into fairly simple classes. But even in the simplified case, everything should be strictly classified and fixed in the relevant regulatory acts, so that a correct and, most importantly, working system of information protection can be built.

Summary

Organizing an information security system competently is a complex and often expensive process. To accomplish this task, it is necessary to carry out a detailed inventory of all resources that hold information, break all the data down into categories, classify the information security threat models, design and develop a protection system, including all regulatory documents, select hardware and software tools sufficient to run the work process at the proper level while complying with information protection requirements, and so on.

Organizing information protection requires competent specialists in this field and competent company management that is ready to comply with the required safety standards and allocate resources to support them.

Source: https://habr.com/ru/post/C39274/

